[elk]Mutate filter plugin增删改查字段

Mutate filter plugin参考: https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html

在线匹配:
http://grokdebug.herokuapp.com/

grok github正则:
https://github.com/kkos/oniguruma/blob/master/doc/RE

logstash grok目录:
/usr/local/logstash/vendor/bundle/jruby/1.9/gems/logstash-patterns-core-4.1.2/patterns

主要研究下这个插件的这些功能

增加字段
删除字段
拆分字段
聚合

增加字段

input { stdin { codec => "json" } }

filter {
    mutate {
        add_field => { "status_true" => "1" }
    }
}

output {
    stdout { codec => rubydebug }
}

删除字段

input { stdin { codec => "json" } }

filter {
    mutate {
        add_field => { "status_true" => "1" }
        remove_field => [isp]
    }
}

output {
    stdout { codec => rubydebug }
}

重命名字段名

input { stdin { codec => "json" } }

filter {
    mutate {
        rename => { "isp" => "province_isp" }
        remove_field => [isp]
    }
}

output {
    stdout { codec => rubydebug }
}

修改字段的值

input { stdin { codec => "json" } }

filter {
    mutate {
        replace => { "isp" => "阿里飞飞" }
    }
}

output {
    stdout { codec => rubydebug }
}

转换字段的值的类型

input { stdin { codec => "json" } }

filter {
    mutate {
        convert => { "success" => "string" }
    }
}

output {
    stdout { codec => rubydebug }
}

mutate {  
    convert => { "dest_Port" => "integer" }  
    convert => { "source_Port" => "integer" }
}  

{"mobile" : "15812345606", "province": "上海", "isp": "中国移动","time" : "2017-12-06T09:30:51.244Z", "success" : false}